From: Ace Fekay [MCT] on 30 Dec 2009 09:58
"ObiWan [MVP]" <obiwan(a)mvps.org> wrote in message news:ec4cOvSiKHA.1652(a)TK2MSFTNGP05.phx.gbl...
>>> <<<SIGH>>>
>
>> :-)
>
> hehe... well, sounds like he changed his mind
> as soon as he realized that it would be a hell
> to maintain the forwarders list :D
>

Yea, that would cut into your drinking time!! :-D

From: Ace Fekay [MCT] on 30 Dec 2009 09:57
"ObiWan [MVP]" <obiwan(a)mvps.org> wrote in message news:OQX3kVTiKHA.2184(a)TK2MSFTNGP04.phx.gbl...
>
>> in such a case, ensure the DNS on the TS holds copies of the local
>> domains, then set it up to forward all external queries to ODNS so
>> that you'll have your filtering for the TS users and remove the ODNS
>> forward from the SBS box so that you won't have NXDOMAIN/caching
>> issues :)
>
> let me better sum it up
>
> Install DNS on the TS box, ensure that the DNS is AD integrated
>
> Configure DNS to hold a copy of your local zones (AD...)
> <snipped>

I just wanted to point out that if the zone is AD integrated, it will already have a copy of the AD zone(s). :-)

Ace

From: Ace Fekay [MCT] on 30 Dec 2009 10:00
"ObiWan [MVP]" <obiwan(a)mvps.org> wrote in message news:eCSFR5TiKHA.3792(a)TK2MSFTNGP02.phx.gbl...
>
>>> exchange IMF <-> your DNS <-> OpenDNS <-> spamhaus DNS
>
>> No kidding. I didn't think of this scenario. So the rate limit could
>> be quickly reached and everyone is blaming ODNS for it.
>
> Yes... although ODNS still plays a role here, see, their aggressive
> use of caching and TTL overriding means that NXDOMAIN answers
> returned by the DNSBL due to the rate limiter kicking in, will be kept
> in cache for a quite long time causing hosts which should instead
> be BLOCKED by the blacklist to get through; worse, such a thing
> will affect ALL the systems using ODNS for resolution :P
>
> I've nothing against OpenDNS, they're offering a decent service
> and helping to protect against "bad sites" but that's all, I won't
> recommend using OpenDNS as a forwarder/resolver when it
> comes to a server system or a business network for the reasons
> seen in this thread and ... for some others as well :)
>

I'm sure they had a good reason to institute limits. It's probably meant for the home-owner, since it's quick and free, whereas many companies (especially larger ones) have a third party handling this sort of function. :-)

Ace

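
A check for the fail-open condition discussed in the quoted text above, as an added example that is not part of the original thread: it asks the current resolver path for the two RFC 5782 test points of a DNSBL (127.0.0.2 must be listed, 127.0.0.1 must not) and classifies the result. The function names, the `dnsbl.example` zone and the stand-in resolvers are assumptions constructed for illustration.

```python
import socket

# RFC 5782 test points for an IPv4 DNSBL, written with octets reversed
# as in any DNSBL query: 127.0.0.2 must be listed, 127.0.0.1 must not be.
MUST_LIST = "2.0.0.127"
MUST_NOT_LIST = "1.0.0.127"


def system_lookup(name):
    """Resolve via the host's configured DNS path; None means no answer."""
    try:
        return socket.gethostbyname(name)
    except OSError:  # covers socket.gaierror (NXDOMAIN, SERVFAIL, timeout)
        return None


def check_dnsbl_path(zone, lookup=system_lookup):
    """Classify what the resolver chain returns for a DNSBL zone."""
    listed = lookup(f"{MUST_LIST}.{zone}")
    control = lookup(f"{MUST_NOT_LIST}.{zone}")
    if listed is None:
        # The case from the thread: an NXDOMAIN (rate limit, then cached
        # upstream) makes every listed host look clean to the mail filter.
        return "FAIL-OPEN: test entry is not listed via this resolver path"
    if not listed.startswith("127."):
        # DNSBL return codes live in 127.0.0.0/8; anything else is not one.
        return f"REWRITTEN: test entry returned non-DNSBL address {listed}"
    if control is not None:
        return f"FAIL-CLOSED: control entry unexpectedly listed ({control})"
    return "OK"


# Constructed stand-ins for resolver behaviour, so the check runs offline.
def healthy(name):
    return "127.0.0.2" if name.startswith(MUST_LIST + ".") else None


def rate_limited(name):
    return None  # every query answered NXDOMAIN


def rewriting(name):
    return "203.0.113.10"  # documentation-range address, constructed


if __name__ == "__main__":
    zone = "dnsbl.example"  # placeholder zone, not a real blacklist
    for fake in (healthy, rate_limited, rewriting):
        print(f"{fake.__name__:13} -> {check_dnsbl_path(zone, fake)}")
```

Called without the `lookup` argument, `check_dnsbl_path` uses whatever DNS path the mail server itself is configured with, which is the path the spam filter depends on.
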
From: Leythos on 30 Dec 2009 10:12
In article <OsC1gDWiKHA.1460(a)TK2MSFTNGP06.phx.gbl>, aceman(a)mvps.RemoveThisPart.org says...
> I'm sure they had a good reason to institute limits. It's probably meant for
> the home-owner, since it's quick and free, whereas many companies
> (especially larger ones) have a third party handling this sort of function.
>

I'm sure that OpenDNS is meant for SMALL, according to their website, not just homes, since most homes don't have SMTP servers. We have clients with 1 to 17 servers and 2 to 350 workstations. Most of the clients with a small shop will purchase a real firewall, but they won't spend the extra on web/smtp filtering services. OpenDNS gives them some control over what the employees can get access to - like being able to block web-email sites, to force them to use the company email system.

--
You can't trust your best friends, your five senses, only the little voice inside you that most civilians don't even hear -- Listen to that. Trust yourself.
spam999free(a)rrohio.com (remove 999 for proper email address)

From: ObiWan [MVP] on 30 Dec 2009 10:43
> I'm sure that OpenDNS is meant for SMALL, according to their website,
> not just homes, since most homes don't have SMTP servers. We have
> clients with 1 to 17 servers and 2 to 350 workstations. Most of the
> clients with a small shop will purchase a real firewall, but they
> won't spend the extra on web/smtp filtering services. OpenDNS gives
> them some control over what the employees can get access to - like
> being able to block web-email sites, to force them to use the company
> email system.

Hmm... I know, we're in SBS-land here so my suggestion won't probably fit, but in general, when it comes to such scenarios, I prefer having a DNS on the mailserver box (or either a DNS dedicated to email service) and another one (or btw more than one) used by clients